Cyber Defense Initiative 2014

DFIR NetWars Tournament

For those learning to become a fireman, it is hard to learn how to fight a fire by simply reading a book. You need to battle an actual fire to gain the experience needed, so that when you are fighting the real thing, you know what to do.

Incident response and digital forensics have the same challenge. Typically, expertise and proficiency, such as "muscle memory," are developed only under pressure, when an incident occurs. Having your team make common mistakes during an incident is unacceptable. A single mistake might place your organization at greater risk. DFIR NetWars Tournament is unique in that it provides time-limited challenges that can be used to test the skills you've mastered and, at the same time, help you identify the skills you are missing.

SANS DFIR NetWars Tournament is an incident simulator packed with a vast number of forensic and incident response challenges, for individual or team-based "firefights." It is developed by incident responders and forensic analysts who use these skills daily to stop data breaches and solve complex crimes. DFIR NetWars Tournament allows each player to progress through multiple skill levels of increasing difficulty, learning first-hand how to solve key challenges they might experience during a serious incident. DFIR NetWars Tournament enables players to learn and sharpen new skills prior to being involved in a real incident.

DFIR NetWars Tournament Topics:

DFIR NetWars Tournament is packed with challenges covering host forensics, network forensics, and malware and memory analysis. Each NetWars Tournament level is designed to not only exercise an individual's capabilities to solve a particular problem, but teach them proper analysis techniques regardless of the toolset they use. SANS DFIR NetWars Tournament is unique as it truly tests a blue team's capabilities to perform in real-world situations by solving a series of unique challenges commonly found during major incidents. DFIR NetWars Tournament also helps organizations evaluate performance and identify areas where their response teams might need to obtain additional knowledge.

How DFIR NetWars Tournament works:

Each player signs into the NetWars environment, where they answer multiple levels of questions about an incident. We provide multiple evidence files from which to answer the questions: system, network, memory, and malware samples.

Answer a question right - you will earn points on the DFIR NetWars Tournament scoreboard.

Answer a question wrong - you will get points deducted after the second incorrect answer on the same question.

Don't know where to start, need a refresher? Request a series of hints to guide your analysis.

Each player can observe their ranking compared to other players. The player with the highest score at the end of DFIR NetWars Tournament wins.

DFIR NetWars Tournament Sample Questions - Level 1

DFIR NetWars Tournament Sample Questions - Level 3

DFIR NetWars Tournament Scoreboard

How to Level Up in DFIR NetWars Tournament:

Players progress through the levels by answering questions and earning points. The next level unlocks once a certain number of points is obtained. The points are cumulative across all levels. The better you do on one level, the sooner the next one opens. There are currently five levels in DFIR NetWars Tournament. Levels 1 and 2 are designed to be approachable by those completely new to forensics and include hints that will not only help answer the questions, but teach the players specific techniques as they progress. The upper levels are meant to challenge you and expose where your skills need more work.

The DFIR NetWars Tournament Tool Armory:

It is not the tool that makes a good forensicator, but being able to apply the tool or technique at the right time and under the right conditions to accurately solve critical challenges. We allow participants to bring any toolset or capability to our challenge. Challenge answers should not change if you utilize a different tool to solve them. That is one of the things that makes SANS DFIR NetWars Tournament truly special -- we test the skills of the analyst and not their ability to navigate a specific toolset. If you do not bring your own tools, SANS DFIR NetWars Tournament will provide you with the SIFT Workstation, a free collection of tools that can be used to solve every challenge in the game.

Best of the Best
